Add SKE login command

Co-authored-by: Maximilian Geberl <[email protected]>

Author: Kai Kummerer

.gitignore

@@ -4,6 +4,7 @@ dist/
 
 # IDE
 .vscode
+.idea
 
 # OS generated files
 .DS_Store

go.mod

@@ -24,24 +24,37 @@ require (
 	golang.org/x/mod v0.16.0
 	golang.org/x/oauth2 v0.18.0
 	golang.org/x/text v0.14.0
+	k8s.io/apimachinery v0.29.2
+	k8s.io/client-go v0.29.2
+)
+
+require (
+	golang.org/x/term v0.18.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
 )
 
 require (
 	github.com/alessio/shellescape v1.4.2 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
 	github.com/danieljoos/wincred v1.2.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/go-logr/logr v1.3.0 // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/imdario/mergo v0.3.6 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/pelletier/go-toml/v2 v2.1.1 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
-	github.com/rogpeppe/go-internal v1.10.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
@@ -56,10 +69,18 @@ require (
 	github.com/subosito/gotenv v1.6.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/exp v0.0.0-20240119083558-1b970713d09a // indirect
-	golang.org/x/sys v0.16.0 // indirect
+	golang.org/x/net v0.22.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/protobuf v1.32.0 // indirect
-	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/api v0.29.2 // indirect
+	k8s.io/klog/v2 v2.110.1 // indirect
+	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	sigs.k8s.io/yaml v1.3.0 // indirect
 )

go.sum

@@ -2,6 +2,7 @@ package credentials
 
 import (
 	"github.com/stackitcloud/stackit-cli/internal/cmd/ske/credentials/describe"
+	"github.com/stackitcloud/stackit-cli/internal/cmd/ske/credentials/kubeconfig"
 	"github.com/stackitcloud/stackit-cli/internal/cmd/ske/credentials/rotate"
 	"github.com/stackitcloud/stackit-cli/internal/pkg/args"
 	"github.com/stackitcloud/stackit-cli/internal/pkg/utils"
@@ -24,4 +25,5 @@ func NewCmd() *cobra.Command {
 func addSubcommands(cmd *cobra.Command) {
 	cmd.AddCommand(describe.NewCmd())
 	cmd.AddCommand(rotate.NewCmd())
+	cmd.AddCommand(kubeconfig.NewCmd())
 }

internal/cmd/ske/credentials/credentials.go

@@ -0,0 +1,25 @@
+package kubeconfig
+
+import (
+	"github.com/stackitcloud/stackit-cli/internal/cmd/ske/credentials/kubeconfig/login"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/args"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/utils"
+
+	"github.com/spf13/cobra"
+)
+
+func NewCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "kubeconfig",
+		Short: "Provides functionality for SKE kubeconfig",
+		Long:  "Provides functionality for STACKIT Kubernetes Engine (SKE) kubeconfig",
+		Args:  args.NoArgs,
+		Run:   utils.CmdHelp,
+	}
+	addSubcommands(cmd)
+	return cmd
+}
+
+func addSubcommands(cmd *cobra.Command) {
+	cmd.AddCommand(login.NewCmd())
+}

internal/cmd/ske/credentials/kubeconfig/kubeconfig.go

@@ -0,0 +1,223 @@
+package login
+
+import (
+	"context"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"time"
+
+	"github.com/stackitcloud/stackit-cli/internal/pkg/cache"
+	"k8s.io/client-go/rest"
+
+	"github.com/stackitcloud/stackit-cli/internal/pkg/args"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/examples"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/services/ske/client"
+
+	"github.com/spf13/cobra"
+	"github.com/stackitcloud/stackit-sdk-go/services/ske"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes/scheme"
+	clientauthenticationv1 "k8s.io/client-go/pkg/apis/clientauthentication/v1"
+	"k8s.io/client-go/tools/auth/exec"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+type inputModel struct {
+	ProjectId   string
+	ClusterName string
+	CacheKey    string
+}
+
+func NewCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "login",
+		Short: "login plugin for kubectl",
+		Long:  "login plugin for kubectl to create a short-lived kubeconfig to authenticate against a STACKIT Kubernetes Engine (SKE) cluster. To get a kubeconfig to use with the login command use the 'kubeconfig create' command",
+		Args:  args.NoArgs,
+		Example: examples.Build(
+			examples.NewExample(
+				"login to a SKE cluster specified in the kubeconfig",
+				"$ kubectl get pod"),
+		),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := context.Background()
+
+			model, err := parseInput()
+			if err != nil {
+				return fmt.Errorf("login SKE kubeconfig: parseInput: %w", err)
+			}
+
+			// Configure API client
+			apiClient, err := client.ConfigureClient(cmd)
+			if err != nil {
+				return err
+			}
+
+			kubeconfig := getCachedKubeConfig(model.CacheKey)
+
+			if kubeconfig == nil {
+				return getCacheAndOutputKubeconfig(ctx, cmd, apiClient, model, false, nil)
+			}
+
+			certPem, _ := pem.Decode(kubeconfig.CertData)
+			if certPem == nil {
+				_ = cache.DeleteObject(model.CacheKey)
+				return getCacheAndOutputKubeconfig(ctx, cmd, apiClient, model, false, nil)
+			}
+
+			certificate, err := x509.ParseCertificate(certPem.Bytes)
+			if err != nil {
+				_ = cache.DeleteObject(model.CacheKey)
+				return getCacheAndOutputKubeconfig(ctx, cmd, apiClient, model, false, nil)
+			}
+
+			if time.Now().After(certificate.NotAfter.UTC()) {
+				// cert expired, request new
+				_ = cache.DeleteObject(model.CacheKey)
+				return getCacheAndOutputKubeconfig(ctx, cmd, apiClient, model, false, nil)
+			} else if time.Now().Add(time.Minute * 15).After(certificate.NotAfter.UTC()) {
+				// cert expires in 15min, refresh
+				return getCacheAndOutputKubeconfig(ctx, cmd, apiClient, model, true, kubeconfig)
+			}
+
+			if err := output(cmd, model.CacheKey, kubeconfig); err != nil {
+				return err
+			}
+			return nil
+		},
+	}
+	return cmd
+}
+
+func parseInput() (*inputModel, error) {
+	obj, _, err := exec.LoadExecCredentialFromEnv()
+	if err != nil {
+		return nil, fmt.Errorf("LoadExecCredentialFromEnv: %w", err)
+	}
+
+	if err := clientauthenticationv1.AddToScheme(scheme.Scheme); err != nil {
+		return nil, err
+	}
+
+	obj, err = scheme.Scheme.ConvertToVersion(obj, clientauthenticationv1.SchemeGroupVersion)
+	if err != nil {
+		return nil, fmt.Errorf("ConvertToVersion: %w", err)
+	}
+
+	execCredential, ok := obj.(*clientauthenticationv1.ExecCredential)
+	if !ok {
+		return nil, fmt.Errorf("Conversion to ExecCredential failed")
+	}
+	if execCredential == nil || execCredential.Spec.Cluster == nil {
+		return nil, fmt.Errorf("ExecCredential contains not all needed fields")
+	}
+	config := &SKEClusterConfig{}
+	err = json.Unmarshal(execCredential.Spec.Cluster.Config.Raw, config)
+	if err != nil {
+		return nil, fmt.Errorf("unmarshal: %w", err)
+	}
+
+	return &inputModel{
+		ClusterName: config.ClusterName,
+		ProjectId:   config.STACKITProjectID,
+		CacheKey:    fmt.Sprintf("ske-login-%x", sha256.Sum256([]byte(execCredential.Spec.Cluster.Server))),
+	}, nil
+}
+
+func buildRequest(ctx context.Context, apiClient *ske.APIClient, model *inputModel) ske.ApiCreateKubeconfigRequest {
+	req := apiClient.CreateKubeconfig(ctx, model.ProjectId, model.ClusterName)
+	expirationSeconds := "1800" // 30 min
+
+	return req.CreateKubeconfigPayload(ske.CreateKubeconfigPayload{ExpirationSeconds: &expirationSeconds})
+}
+
+func parseKubeConfigToExecCredential(kubeconfig *rest.Config) (*clientauthenticationv1.ExecCredential, error) {
+	certPem, _ := pem.Decode(kubeconfig.CertData)
+	if certPem == nil {
+		return nil, fmt.Errorf("login SKE kubeconfig")
+	}
+
+	certificate, err := x509.ParseCertificate(certPem.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("login SKE kubeconfig: %w", err)
+	}
+
+	outputExecCredential := clientauthenticationv1.ExecCredential{
+		TypeMeta: v1.TypeMeta{
+			APIVersion: clientauthenticationv1.SchemeGroupVersion.String(),
+			Kind:       "ExecCredential",
+		},
+		Status: &clientauthenticationv1.ExecCredentialStatus{
+			ExpirationTimestamp:   &v1.Time{Time: certificate.NotAfter.Add(-time.Minute * 15)},
+			ClientCertificateData: string(kubeconfig.CertData),
+			ClientKeyData:         string(kubeconfig.KeyData),
+		},
+	}
+	return &outputExecCredential, nil
+}
+
+func getCachedKubeConfig(key string) *rest.Config {
+	cachedKubeconfig, err := cache.GetObject(key)
+	if err != nil {
+		return nil
+	}
+
+	restConfig, err := clientcmd.RESTConfigFromKubeConfig(cachedKubeconfig)
+	if err != nil {
+		return nil
+	}
+
+	return restConfig
+}
+
+type SKEClusterConfig struct {
+	STACKITProjectID string `json:"stackitProjectId"`
+	ClusterName      string `json:"clusterName"`
+}
+
+func getCacheAndOutputKubeconfig(ctx context.Context, cmd *cobra.Command, apiClient *ske.APIClient, model *inputModel, refresh bool, oldKubeconfig *rest.Config) error {
+	req := buildRequest(ctx, apiClient, model)
+	kubeconfigResponse, err := req.Execute()
+	if err != nil {
+		if refresh {
+			return output(cmd, model.CacheKey, oldKubeconfig)
+		}
+		return fmt.Errorf("login SKE kubeconfig: requesting kubeconfig: %w", err)
+	}
+
+	kubeconfig, err := clientcmd.RESTConfigFromKubeConfig([]byte(*kubeconfigResponse.Kubeconfig))
+	if err != nil {
+		if refresh {
+			return output(cmd, model.CacheKey, oldKubeconfig)
+		}
+		return fmt.Errorf("login SKE kubeconfig: parsing kubeconfig: %w", err)
+	}
+	if err = cache.PutObject(model.CacheKey, []byte(*kubeconfigResponse.Kubeconfig)); err != nil {
+		if refresh {
+			return output(cmd, model.CacheKey, oldKubeconfig)
+		}
+		return fmt.Errorf("login SKE kubeconfig: caching kubeconfig: %w", err)
+	}
+
+	return output(cmd, model.CacheKey, kubeconfig)
+}
+
+func output(cmd *cobra.Command, cacheKey string, kubeconfig *rest.Config) error {
+	outputExecCredential, err := parseKubeConfigToExecCredential(kubeconfig)
+	if err != nil {
+		_ = cache.DeleteObject(cacheKey)
+		return fmt.Errorf("login SKE kubeconfig: converting to ExecCredential: %w", err)
+	}
+
+	output, err := json.Marshal(outputExecCredential)
+	if err != nil {
+		_ = cache.DeleteObject(cacheKey)
+		return fmt.Errorf("login SKE kubeconfig: marshal ExecCredential: %w", err)
+	}
+
+	cmd.Print(string(output))
+	return nil
+}